Are you asking how Deno does specifically or how developers do in general?
Hi, with all the third-party explicit and implicit dependencies you pull in, how do you ensure your supply chain is secure and you don't pull in malicious code?
I'm asking because I see a lot of really interesting Rust projects pulling in a lot of implicit and explicit crates, and I am unsure if there is an economic way to ensure something along the lines of a libxz, node-ipc or color.js doesn't happen through a dependency. The reasoning is the assumption that the more code you pull in, from both different authors and the same author, the higher the risk of a supply-chain attack. This is because you need to trust more persons who could carry out an attack, or because the more code someone maintains, the more likely they are overworked and let something slip through by accident.
I know it's an emotionally charged topic, but I am genuinely curious about how you solve this.
Thank you